Bonder firewall

Bonders come with a firewall that restricts traffic destined to them except under certain circumstances described below.

Bonding INPUT traffic

  1. DHCP traffic on the connected IP interface, if enabled, IPv4 only
  • Accept UDP traffic on the connected IP interface, source port 68 and destination port 67
  • Accept TCP and UDP traffic on the connected IP interface and destination port 53
  1. DHCPv6 traffic on UDP source port 546 and destination port 547, if enabled, IPv6 only
  • Accept traffic on the connected IP interface
  1. Accept traffic on the management interface, sourced from the management server VPN IP and destined for the node management VPN IP
  2. Web server TCP traffic on destination port 80, if enabled
  • Accept traffic on connected IP interface and destined for the connected IP
  1. TCP proxy traffic, if enabled
  • Accept TCP traffic on bond-specific transparent destination port
  1. Tunnel traffic
  • Accept traffic on tunnel interface and sourced from the tunnel peer IP
  1. UDP leg traffic
  • Accept UDP traffic on source port 547 and destination port 546 (IPv6 only)
  • Accept on the leg-specific UDP destination tunnel port and destined for the leg IP address
  1. TCP configuration traffic on destination port 8003
  • Accept traffic on the management interface, sourced from the management server VPN IP and destined for the node management VPN IP (only IPv4)
  • Reject everything else on TCP destination port 8003

Other INPUT traffic

  1. Accept any IP range that has been added to the “known_ips” list to be granted firewall access
  2. Accept all traffic on eth0 that is sourced from 10.207.35.248/29 for local troubleshooting access
  3. Accept all traffic on eth0 that is sourced from 192.168.1.0/24 for legacy local troubleshooting access
  4. Accept all ICMP and ICMPv6 traffic
  5. Accept all traffic from established/related connections
  6. Reject everything else

Note

More firewall customization options are available and documented here: